Google Analytics and GDPR – Four steps to comply

New rules on collecting personal information are coming into effect. As a user of Google Analytics, here’s how to prepare for GDPR.

DISCLAIMER: I am not a lawyer, this post is focused on Google Analytics and GDPR, and this advice should not be taken as a complete set of instructions on how to comply with the  General Data Protection Regulation.

Long post: Skip to what you want below

  1. What is GDPR?
  2. Google Analytics doesn’t collect personal information – why is GDPR an issue?
  3. Four steps to make sure you comply with GDPR
    1. Confirm you are not collecting personal information
    2:   Check if you are using ‘Advertising Features’ in Google Analytics
    3: Change how Google Analytics tracks IP addresses
    4: Meet with your organizations Data Protection Officer and lawyers

WTH is GDPR?

The General Data Protection Regulation is a new set of rules around the collection and storage of personal information  – names, email addresses, payment information – of European citizens. It comes into effect on May 25, 2018.   If your organization is communicating with supporters in Europe, it’s likely that someone is already working on compliance in your organization.
Here’s   a good introduction to GDPR for charities from The Guardian

Google Analytics doesn’t collect personal information – why is GDPR an issue for Google Analytics admins?

Google Analytic’s terms of service prohibits you from collecting personal information – emails, names, zip codes, – in Google Analytics.   You can collect them from forms on your website, just make sure none of that information makes it’s way into your Google Analytics account.

If the law regulates the collection of personal information, and Google Analytics doesn’t collect personal information, why do you need to do anything to comply with GDPR?

The new regulations define “personal information” to include cookies and other information like IP addresses, user and transaction IDs when they can be used in conjunction with other information to identify a user.

This is referred to as “pseudonymous information” Here’s an example: used alone, I can’t tell from your Google Analytics Client ID that your name is Willem and you live at 646 Hooiblokstraat in the Netherlands.

But if you fill in a form that sends that information to a database at certain date and time, I can technically cross reference that personal information with the Audience > User Explorer  report in Google Analytics and  find out how you, Willem, have browsed our website in the past.   Google Analytics is not collecting information I can trace to you, Willem, but it can be used in conjunction with other data to build a profile of you.  Voorzichtigheid, of course.

Four steps to make sure you comply with GDPR

Step 1:   Confirm you are not inadvertently collecting personal information in Google Analytics

Collecting any personally identifiable information in Google Analytics is against the terms of service, and Google Analytics can shut your account if you break this agreement.   That said, your technical platform may be sending personal information to Google Analytics without you knowing it.

This most often happens when users submit their information in a form – for example when subscribing to an email list.   The email is included in the URL or title of the confirmation page, and Google Analytics stores it in the Page dimension.

Here’s a quick check to see if you are doing this: In Google Analytics go to Behavior > Site Content and in the search field enter the @ symbol. If you are recording email addresses in URLs and passing them to Google Analytics, you will see them here.

Screenshot of Google Analytics Behavior > Site Content > search for @ symbol and resulting email addresses that shouldn't be in GA

 

To fix this particular instance, we stopped Google Analytics from recording the “Email” parameter in page URLs by clicking on the Google Analytics Admin  (“gear” icon) > View Settings > Exclude URL Query Parameters and entered Email

Fix for Personally Identifiable Information in Google Analytics email

This is the most common way that personal information gets into your Google Analytics account – I see it all the time with particular platforms that are set up to include email addresses in URLs.

Other possibilities for coll are when a Custom Dimension is set with personal information – though this wouldn’t be by accident, a developer would have intentionally set up that form functionality.

My sense is that inadvertent storage of personal information in Google Analytics something that Google is going to be much more vigilant about, and start enforcing more proactively.

Step 2:   Check if you are using ‘Advertising Features’ or “User ID” in Google Analytics

The cookies used by Google Analytics to create Adwords remarketing lists and demographic reports are referred to as ‘Advertising Features’, and are considered personal data by the new regulations.

If you are NOT using these features, you can simply disable them from Admin > Property Settings > Tracking Info > Data Collection.

How to switch off Advertising Features in Google Analytics if you're not using them.

If you are using Adwords remarketing campaigns, demographics reports or other ‘Advertising Features’ and want to continue to use these features, go to step 4 below.

Step 3: Change how Google Analytics tracks IP addresses

Internet Protocol addresses may be considered ‘personal information’ by the new regulations, and Google Analytics can be set to ‘anonymize’ this information.   A change to the Google Analytics tracking code is required, see two options below.   Note that this change will slightly affect the accuracy of the geographical information collected in Google Analytics.

If you are using Google Tag Manager, set the ‘Anonymize IP’ option in your Google Analytics Settings variable as shown.

How to switch your Google Analytic tracking code to Anonymize IP in Google Tag Manager

If your Google Analytics tracking code is included in the code of your site, add the following line to the Google Analytics tracking code:   ga(‘set’, ‘anonymizeIp’, true);

More instructions are here: https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference#anonymizeIp

and here: https://support.google.com/analytics/answer/2763052?hl=en

Step 4: Meet with your organizations Data Protection Officer and lawyers

If your organization is collecting personal information online from an international audience, your organization should already be preparing for GDPR compliance.   People in your org have been hard at work cataloguing the information they collect, who stores it and why, and updating privacy and opt-in policies.

If you are using Google Analytics ‘Advertising Features’ such as Adwords remarketing, make sure that the group preparing for these regulations knows that Google is collecting some information that will be regulated under the GDPR.  

Your organization will need to get informed consent from European users, letting users know in detail what information is being collected, what it will be used for and how long it will be retained. They must actively opt-in for you to track them with “Advertising Features” in Google Analytics. You will also need to be able to delete their data upon request. Google has assured us that they will have this ‘data deletion’ functionality in place in time for GDPR Day, May 25th 2018.

If your organization collects emails and other personal data from European supporters and don’t have anyone working on GDPR compliance, tell senior management that the regulations go into effect on May 25th and it would be wise to be prepared. My advice: don’t volunteer to lead this project, pick another hill.